HAProxy Configuration

Updated on 17 Oct 2020
1 Minute to read

Print
Share
Dark

Light
PDF

It is recommended to run HAProxy with an SSL-termination style of configuration. This will allow the proxy to forward agent connection information to the SecureCircle server nodes.

The SSL certificate and associated private key must be given to HAProxy in one PEM file.

Information

http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-crt
It designates a PEM file containing both the required certificates and any associated private keys. This file can be built by concatenating multiple PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA requires an intermediate certificate, this can also be concatenated into this file.

It is assumed the SecureCircle server nodes will be listening for HTTPS traffic on port 443 using a self-signed or other certificate.

haproxy.cfg

global
        daemon
 
        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
 
defaults
        mode    http
        timeout connect 5000
        timeout client  50000
        timeout server  50000
 
frontend http-in
        # The balancer will listen to port 80 and redirect to HTTPS
        bind *:80
        redirect scheme https if !{ ssl_fc }
        # The balancer will terminate SSL traffic on port 443 using the specified PEM keychain
        bind *:443 ssl crt /path/to/your/keychain.pem
        # Traffic will be redirected to the nodes backend
        default_backend nodes
 
backend nodes
        # Inject headers so the nodes know agent information
        option forwardfor
        http-request add-header X-Consumer-IP %[src]
        # Balance connections across servers using a round-robin approach
        balance roundrobin
        # Ensure nodes are healthy before routing traffic to them
        option httpchk GET /web/login.html
        # Servers that will be routed to
        # It's recommended to replace "ssl verify none" with:
        # ssl verify required ca-file /path/to/server-ca
        # ca-file will either be the server's self signed cert or CA cert(s)
        server SC01 172.17.0.2:443 check ssl verify none
        server SC02 172.17.0.3:443 check ssl verify none
        server SC03 172.17.0.4:443 check ssl verify none

Was this article helpful?

What's Next

Optional External Component Integration with SecureCircle SaaS

SecureCircle delivers a SaaS-based cybersecurity service that extends Zero Trust security to data on the endpoint. At SecureCircle, we believe frictionless data security drives business value for our customers. Instead of relying on complex reactive measures, we simply secure data persistently in transit, at rest, and even in use. End users operate without obstacles, while data is continuously secured against breaches and insider threats.

Company

Collateral